Professional Documents
Culture Documents
Darktrace’s Self-Learning AI never sleeps – meaning your team can trust that there is always an intelligent solution
autonomously detecting, investigating, and responding in real time to threats as they emerge, without the need for
configuration or constant tuning.
Instead, Darktrace learns the unique ‘patterns of life’ of your business and spots even the most subtle deviations
from normal behavior that point to an attack – from advanced threats like Dharma ransomware, to zero-day
nation-state attacks like APT41. The technology does not rely on rules or signatures, but rather uses unsupervised
machine learning and advanced Bayesian mathematics to identify nuanced changes in activity.
Two core capabilities of the self-learning technology, Cyber AI Analyst and Enhanced Monitoring models, are
Figure 1: Darktrace autonomously detects and designed to be reviewed within minutes. For teams that only wish to check the Darktrace Immune System interface
responds to threats with surgical precision, 24/7 briefly every day, these provide the platform’s most vital benefits: the ability to instantly understand a situation and
take immediate action when things are burning, where response time is of the essence.
Data Sheet | 2
Autonomous Investigations:
How Cyber AI Analyst Augments the Human On-demand Investigations
For teams that only have five minutes a day to use Darktrace, the most critical While Incident Reports are always created for the most critical threats at any
capability to leverage is Cyber AI Analyst, which allows you to see immediately the one time, investigations can be applied on demand to suspicious devices or
most significant threats happening in real time. Cyber AI Analyst autonomously users by simply selecting the time window, the device or user of interest, and
investigates every threat detected and highlights the highest-priority incidents at then clicking the ‘Investigate’ button within the Threat Visualizer. This provides
any one time – ensuring you see what needs attention right away. the ability to easily confirm assumptions about suspicious activity, proactively
threat hunt, effortlessly check on HR watchlists, or even help new starters on the
The technology pulls together related events into a clear Incident Report,
security team understand how to pull together an investigation.
including an AI-generated natural language summary and a visual timeline of
the threat. Security responders are able to grasp the severity of the incident
immediately - ensuring severe threats like ransomware, data exfiltration, and a
malicious insider attack are able to be actioned in minutes.
Incident Reports include a clear graphic pointing to where the threat sits in the
kill chain. If there are several phases, it’s likely a big attack and will need close,
immediate attention. Security teams can easily skim through the related devices,
subnets, scanning ports, sources, and the relevant details, which are all pulled Figure 3: Easily trigger on-demand AI-driven investigations
into one place in the report. Cyber AI Analyst makes it easy to take just a few
minutes to examine an incident and decide how to follow up. Seamless Interoperability
Cyber AI Analyst technology can also be integrated with tools across your
security stack, allowing investigations to be triggered based on data from
third-party sources like CrowdStrike or Carbon Black. The rich context and
insights of Incident Reports can additionally be exported to SIEM, SOAR, or
ticketing systems to enhance your existing workflows.
The Acknowledged/Unacknowledged filter shows or hides Acknowledged Like a human, Cyber AI Analyst uses an initial detection of unusual behavior as a
incidents. Incidents can be acknowledged on an event-by-event basis, in their starting point for investigations. The behavioral analysis it performs may discover
entirety in the Threat Visualizer, or in the Mobile App. Acknowledging a Cyber AI patterns of activity that were not the original trigger point for the detection but
Analyst incident does not acknowledge the underlying model breaches. are worthy of investigation.
Any pinned Cyber AI Analyst incidents will always appear in the left-hand side of Consequently, the event period may not correspond with the model breach
the incident tray. Click the 'Download Incidents' button to download a PDF report time. Additionally, some model breaches require sustained behaviors such as
containing all current incidents in the tray. repeated connections before breaching, so the final breach trigger may be later
than the connection of interest.
Figure 4: The Incident Tray shows the most significant incidents at any one time
Figure 5: Each Incident Report shows a clear visual timeline of all the
events involved
“With Cyber AI Analyst we can see the whole picture. It’s all right
there in one place, with all the context and details we’d need to
take action.”
Rick Bertoncin, Director of Technology & Security, Gallagher-Kaiser Corporation
Data Sheet | 4
Enhanced Monitoring: Highlighting Strong Indicators Autonomous Response: The Machine Fights Back
of Attack Darktrace Antigena provides 24/7 Autonomous Response, neutralizing threats
Another key feature that teams can easily take advantage of is the Enhanced as they emerge – giving understaffed and overworked teams the critical time
Monitoring model view. Based on a bespoke set of parameters for each necessary to catch up.
organization, they enable tailored defense of particularly sensitive data and
For small teams, the first step on the journey towards truly autonomous defense
vulnerabilities. When triggered, Enhanced Monitoring models are strong
is setting up Antigena to match your business needs. To that end, Antigena can
indicators of attack that immediately highlight to security teams the most heavy-
easily be configured according to a range of flexible parameters:
hitting threats.
Degree of Automation: Configure Antigena to be fully autonomous or to
Enhanced Model detections are available via the Threat Visualizer by selecting
require human approval before taking action
Threat Tray Filters and choosing Enhanced Monitoring. When Self-Learning AI
detects a threat related to an Enhanced Monitoring model, you can get automatic Use Cases: Tailor Antigena to cover specific business risks, from insider
email alerts for additional real-time notification. threats to external attacks
Scope: Consider where and to what extent Antigena actions should apply,
whether globally or per subnet, user, device, or threat model
Figure 8: Filter for Enhanced Monitoring to see the most critical Integration: Deploy Antigena to interface with third-party firewalls or
behavior detected network devices as a mechanism for response
Powered by Self-Learning AI, Antigena is the first and only solution that can
interrupt attacks at machine speed and with surgical precision, even if the
“It’s autonomous – AI Analyst and Antigena just work as threat is targeted or entirely unknown. Every second, Darktrace Antigena stops
an emerging cyber-attack – making it a critical tool for small teams to ensure
expected for high-risk incidents, and we let it do its thing.”
workforces and workloads are always protected.
Syed Hussaini, Cyber Security Analyst, Metricon Technology Group
Data Sheet | 6
The Darktrace platform was designed with an open and extensible architecture Darktrace Antigena can trigger Autonomous Response actions via
that seamlessly integrates with your existing investments. Customers can enhance integrations with firewalls and preventative controls for attacks that
and extend their Darktrace deployment via one-click integrations, including have gotten through. Darktrace can also ingest logs from firewalls and
the ability to immediately extend coverage to new cloud services, enrich the network devices to extend visibility as needed. Current customers can
platform’s analysis with new sources of log ingestion, and activate coordinated see the integrations guide here.
Autonomous Response via integrations with other security defenses. If you don’t
SIEMs and SOARs: Sharing AI Insights
see your chosen provider in Darktrace’s configuration page, custom templates
make it easy to set up bespoke integrations. Native integrations via API and syslog allow Darktrace to feed AI
detections and Cyber AI Analyst Incidents to SIEMs for analysis
LDAP: Authentication and Enriched Visibility
and correlation, as well as to SOAR solutions to trigger response
Integration with LDAP servers, such as Active Directory, can support playbooks. Darktrace can also poll SIEM and SOAR solutions to ingest
authenticated access to the Threat Visualizer, as well as enrichment of enrichment data, and SOAR playbooks can be configured to trigger
Darktrace's visibility by providing additional LDAP attributes for users. custom models and Cyber AI Analyst investigations in Darktrace.
Darktrace also provides the option to create LDAP group tags for Current customers can see the integrations guide here.
use in threat modeling. Current customers can see the integrations
Single Sign On: Seamless Access
guide here.
For ease of use, Darktrace natively supports authentication and
EDRs: Extending Endpoint Protection
access via SAML 2.0 Single Sign On. Current customers can see the
Darktrace can ingest EDR alerts as weak indicators that inform our integrations guide here.
AI's analysis across the business. EDR alerts can also trigger Cyber AI
Analyst investigations without the need for an underlying Darktrace
detection. Current customers can see the integrations guide on
alerting options here.
“One-click integrations help our team identify the things we
VPN & Zero Trust Technologies: Defending the Dynamic Workforce
need to see, connecting the dots, making those correlations, and
By integrating with VPN and zero trust services, Darktrace can extend then making those alerts actionable for us. There’s huge value in
its visibility across an increasingly distributed workforce. Low-effort that for us.”
native integrations and custom templates are available for any service
Austen Ewald, Network Analyst, St. Charles Community Unit School District
in this area. Current customers can see the access control integrations
guide here.
Data Sheet | 8
Figure 10: The Darktrace Immune System integrates seamlessly across the
security stack, improving productivity and ROI
Darktrace © Copyright 2021 Darktrace Holdings Limited. All rights reserved. Darktrace is a registered trademark of
Darktrace Holdings Limited. Enterprise Immune System and Threat Visualizer are unregistered trademarks of Darktrace
Holdings Limited. Other trademarks included herein are the property of their respective owners.